bixby-auth 0.1.0

data/spec/headers_spec.rb

@@ -0,0 +1,356 @@
+require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
+
+describe "ApiAuth::Headers" do
+
+  CANONICAL_STRING = "text/plain,e59ff97941044f85df5297e1c302d260,/resource.xml?foo=bar&bar=foo,Mon, 23 Jan 1984 03:29:56 GMT"
+
+  describe "with Net::HTTP::Put::Multipart" do
+
+    before(:each) do
+      request = Net::HTTP::Put::Multipart.new("/resource.xml?foo=bar&bar=foo",
+        'file' => UploadIO.new(File.new('spec/fixtures/upload.png'), 'image/png', 'upload.png'))
+      ApiAuth.sign!(request, "some access id", "some secret key")
+      @headers = ApiAuth::Headers.new(request)
+    end
+
+    it "should set the content-type" do
+      @headers.canonical_string.split(',')[0].should match 'multipart/form-data; boundary='
+    end
+
+    it "should generate the proper content-md5" do
+      @headers.canonical_string.split(',')[1].should match 'zap0d6zuh6wRBSrsvO2bcw=='
+    end
+
+  end
+
+  describe "with Net::HTTP" do
+
+    before(:each) do
+      @request = Net::HTTP::Put.new("/resource.xml?foo=bar&bar=foo",
+        'content-type' => 'text/plain',
+        'content-md5' => 'e59ff97941044f85df5297e1c302d260',
+        'date' => "Mon, 23 Jan 1984 03:29:56 GMT")
+      @headers = ApiAuth::Headers.new(@request)
+    end
+
+    it "should generate the proper canonical string" do
+      @headers.canonical_string.should == CANONICAL_STRING
+    end
+
+    it "should set the authorization header" do
+      @headers.sign_header("alpha")
+      @headers.authorization_header.should == "alpha"
+    end
+
+    it "should set the DATE header if one is not already present" do
+      @request = Net::HTTP::Put.new("/resource.xml?foo=bar&bar=foo",
+        'content-type' => 'text/plain',
+        'content-md5' => 'e59ff97941044f85df5297e1c302d260')
+      ApiAuth.sign!(@request, "some access id", "some secret key")
+      @request['DATE'].should_not be_nil
+    end
+
+    it "should not set the DATE header just by asking for the canonical_string" do
+      request = Net::HTTP::Put.new("/resource.xml?foo=bar&bar=foo",
+        'content-type' => 'text/plain',
+        'content-md5' => 'e59ff97941044f85df5297e1c302d260')
+      headers = ApiAuth::Headers.new(request)
+      headers.canonical_string
+      request['DATE'].should be_nil
+    end
+
+    context "md5_mismatch?" do
+      it "is false if no md5 header is present" do
+        request = Net::HTTP::Put.new("/resource.xml?foo=bar&bar=foo",
+        'content-type' => 'text/plain')
+        headers = ApiAuth::Headers.new(request)
+        headers.md5_mismatch?.should be_false
+      end
+    end
+  end
+
+  describe "with RestClient" do
+
+    before(:each) do
+      headers = { 'Content-MD5' => "e59ff97941044f85df5297e1c302d260",
+                  'Content-Type' => "text/plain",
+                  'Date' => "Mon, 23 Jan 1984 03:29:56 GMT" }
+      @request = RestClient::Request.new(:url => "/resource.xml?foo=bar&bar=foo",
+        :headers => headers,
+        :method => :put)
+      @headers = ApiAuth::Headers.new(@request)
+    end
+
+    it "should generate the proper canonical string" do
+      @headers.canonical_string.should == CANONICAL_STRING
+    end
+
+    it "should set the authorization header" do
+      @headers.sign_header("alpha")
+      @headers.authorization_header.should == "alpha"
+    end
+
+    it "should set the DATE header if one is not already present" do
+      headers = { 'Content-MD5' => "e59ff97941044f85df5297e1c302d260",
+                  'Content-Type' => "text/plain" }
+      @request = RestClient::Request.new(:url => "/resource.xml?foo=bar&bar=foo",
+        :headers => headers,
+        :method => :put)
+      ApiAuth.sign!(@request, "some access id", "some secret key")
+      @request.headers['DATE'].should_not be_nil
+    end
+
+    it "should not set the DATE header just by asking for the canonical_string" do
+      headers = { 'Content-MD5' => "e59ff97941044f85df5297e1c302d260",
+                  'Content-Type' => "text/plain" }
+      request = RestClient::Request.new(:url => "/resource.xml?foo=bar&bar=foo",
+        :headers => headers,
+        :method => :put)
+      headers = ApiAuth::Headers.new(request)
+      headers.canonical_string
+      request.headers['DATE'].should be_nil
+    end
+
+    it "doesn't mess up symbol based headers" do
+      headers = { 'Content-MD5' => "e59ff97941044f85df5297e1c302d260",
+                  :content_type => "text/plain",
+                  'Date' => "Mon, 23 Jan 1984 03:29:56 GMT" }
+      @request = RestClient::Request.new(:url => "/resource.xml?foo=bar&bar=foo",
+        :headers => headers,
+        :method => :put)
+      @headers = ApiAuth::Headers.new(@request)
+      ApiAuth.sign!(@request, "some access id", "some secret key")
+      @request.processed_headers.should have_key('Content-Type')
+    end
+  end
+
+  describe "with Curb" do
+
+    before(:each) do
+      headers = { 'Content-MD5' => "e59ff97941044f85df5297e1c302d260",
+                  'Content-Type' => "text/plain",
+                  'Date' => "Mon, 23 Jan 1984 03:29:56 GMT" }
+      @request = Curl::Easy.new("/resource.xml?foo=bar&bar=foo") do |curl|
+        curl.headers = headers
+      end
+      @headers = ApiAuth::Headers.new(@request)
+    end
+
+    it "should generate the proper canonical string" do
+      @headers.canonical_string.should == CANONICAL_STRING
+    end
+
+    it "should set the authorization header" do
+      @headers.sign_header("alpha")
+      @headers.authorization_header.should == "alpha"
+    end
+
+    it "should set the DATE header if one is not already present" do
+      headers = { 'Content-MD5' => "e59ff97941044f85df5297e1c302d260",
+                  'Content-Type' => "text/plain" }
+      @request = Curl::Easy.new("/resource.xml?foo=bar&bar=foo") do |curl|
+        curl.headers = headers
+      end
+      ApiAuth.sign!(@request, "some access id", "some secret key")
+      @request.headers['DATE'].should_not be_nil
+    end
+
+    it "should not set the DATE header just by asking for the canonical_string" do
+      headers = { 'Content-MD5' => "e59ff97941044f85df5297e1c302d260",
+                  'Content-Type' => "text/plain" }
+      request = Curl::Easy.new("/resource.xml?foo=bar&bar=foo") do |curl|
+        curl.headers = headers
+      end
+      headers = ApiAuth::Headers.new(request)
+      headers.canonical_string
+      request.headers['DATE'].should be_nil
+    end
+  end
+
+  describe "with ActionController" do
+
+    let(:request_klass){ ActionDispatch::Request rescue ActionController::Request }
+
+    before(:each) do
+      @request = request_klass.new(
+        'PATH_INFO' => '/resource.xml',
+        'QUERY_STRING' => 'foo=bar&bar=foo',
+        'REQUEST_METHOD' => 'PUT',
+        'CONTENT_MD5' => 'e59ff97941044f85df5297e1c302d260',
+        'CONTENT_TYPE' => 'text/plain',
+        'HTTP_DATE' => 'Mon, 23 Jan 1984 03:29:56 GMT')
+      @headers = ApiAuth::Headers.new(@request)
+    end
+
+    it "should generate the proper canonical string" do
+      @headers.canonical_string.should == CANONICAL_STRING
+    end
+
+    it "should set the authorization header" do
+      @headers.sign_header("alpha")
+      @headers.authorization_header.should == "alpha"
+    end
+
+    it "should set the DATE header if one is not already present" do
+      @request = request_klass.new(
+        'PATH_INFO' => '/resource.xml',
+        'QUERY_STRING' => 'foo=bar&bar=foo',
+        'REQUEST_METHOD' => 'PUT',
+        'CONTENT_MD5' => 'e59ff97941044f85df5297e1c302d260',
+        'CONTENT_TYPE' => 'text/plain')
+      ApiAuth.sign!(@request, "some access id", "some secret key")
+      @request.headers['DATE'].should_not be_nil
+    end
+
+    it "should not set the DATE header just by asking for the canonical_string" do
+      request = request_klass.new(
+        'PATH_INFO' => '/resource.xml',
+        'QUERY_STRING' => 'foo=bar&bar=foo',
+        'REQUEST_METHOD' => 'PUT',
+        'CONTENT_MD5' => 'e59ff97941044f85df5297e1c302d260',
+        'CONTENT_TYPE' => 'text/plain')
+      headers = ApiAuth::Headers.new(request)
+      headers.canonical_string
+      request.headers['DATE'].should be_nil
+    end
+  end
+
+  describe "with Rack::Request" do
+
+    before(:each) do
+      headers = { 'Content-MD5' => "e59ff97941044f85df5297e1c302d260",
+                  'Content-Type' => "text/plain",
+                  'Date' => "Mon, 23 Jan 1984 03:29:56 GMT"
+                  }
+      @request = Rack::Request.new(Rack::MockRequest.env_for("/resource.xml?foo=bar&bar=foo", :method => :put).merge!(headers))
+      @headers = ApiAuth::Headers.new(@request)
+    end
+
+    it "should generate the proper canonical string" do
+      @headers.canonical_string.should == CANONICAL_STRING
+    end
+
+    it "should set the authorization header" do
+      @headers.sign_header("alpha")
+      @headers.authorization_header.should == "alpha"
+    end
+
+    it "should set the DATE header if one is not already present" do
+      headers = { 'Content-MD5' => "e59ff97941044f85df5297e1c302d260",
+                  'Content-Type' => "text/plain" }
+      @request = Rack::Request.new(Rack::MockRequest.env_for("/resource.xml?foo=bar&bar=foo", :method => :put).merge!(headers))
+      ApiAuth.sign!(@request, "some access id", "some secret key")
+      @request.env['DATE'].should_not be_nil
+    end
+
+    it "should not set the DATE header just by asking for the canonical_string" do
+      headers = { 'Content-MD5' => "e59ff97941044f85df5297e1c302d260",
+                  'Content-Type' => "text/plain" }
+      request = Rack::Request.new(Rack::MockRequest.env_for("/resource.xml?foo=bar&bar=foo", :method => :put).merge!(headers))
+      headers = ApiAuth::Headers.new(request)
+      headers.canonical_string
+      request.env['DATE'].should be_nil
+    end
+  end
+
+  describe "with HTTPI" do
+     before(:each) do
+       @request = HTTPI::Request.new("http://localhost/resource.xml?foo=bar&bar=foo")
+       @request.headers.merge!({
+         'content-type' => 'text/plain',
+         'content-md5'  => 'e59ff97941044f85df5297e1c302d260',
+         'date'         => "Mon, 23 Jan 1984 03:29:56 GMT"
+       })
+       @headers = ApiAuth::Headers.new(@request)
+     end
+
+     it "should generate the proper canonical string" do
+       @headers.canonical_string.should == CANONICAL_STRING
+     end
+
+     it "should set the authorization header" do
+       @headers.sign_header("alpha")
+       @headers.authorization_header.should == "alpha"
+     end
+
+     it "should set the DATE header if one is not already present" do
+       @request = Net::HTTP::Put.new("/resource.xml?foo=bar&bar=foo",
+         'content-type' => 'text/plain',
+         'content-md5' => 'e59ff97941044f85df5297e1c302d260')
+       ApiAuth.sign!(@request, "some access id", "some secret key")
+       @request['DATE'].should_not be_nil
+     end
+
+     it "should not set the DATE header just by asking for the canonical_string" do
+       request = Net::HTTP::Put.new("/resource.xml?foo=bar&bar=foo",
+         'content-type' => 'text/plain',
+         'content-md5' => 'e59ff97941044f85df5297e1c302d260')
+       headers = ApiAuth::Headers.new(request)
+       headers.canonical_string
+       request['DATE'].should be_nil
+     end
+
+     context "md5_mismatch?" do
+       it "is false if no md5 header is present" do
+         request = Net::HTTP::Put.new("/resource.xml?foo=bar&bar=foo",
+         'content-type' => 'text/plain')
+         headers = ApiAuth::Headers.new(request)
+         headers.md5_mismatch?.should be_false
+       end
+     end
+   end
+
+  describe "with Bixby::SignedJsonRequest" do
+
+    before(:each) do
+      @json_req = Bixby::JsonRequest.new("foo", "bar")
+      @request = Bixby::SignedJsonRequest.new(@json_req)
+      @request.headers.merge!({
+        'Content-Type' => 'text/plain',
+        'Content-MD5'  => 'e59ff97941044f85df5297e1c302d260',
+        'Date'         => "Mon, 23 Jan 1984 03:29:56 GMT"
+      })
+      @headers = ApiAuth::Headers.new(@request)
+    end
+
+    it "should generate the proper canonical string" do
+      @headers.canonical_string.should == CANONICAL_STRING.gsub("/resource.xml?foo=bar&bar=foo", "/api")
+    end
+
+    it "should set the authorization header" do
+      @headers.sign_header("alpha")
+      @headers.authorization_header.should == "alpha"
+    end
+
+    it "should set the DATE header if one is not already present" do
+      @request = Bixby::SignedJsonRequest.new(@json_req)
+      @request.headers.merge!({
+        'Content-Type' => 'text/plain',
+        'Content-MD5' => 'e59ff97941044f85df5297e1c302d260'
+      })
+      ApiAuth.sign!(@request, "some access id", "some secret key")
+      @request.headers['Date'].should_not be_nil
+    end
+
+    it "should not set the DATE header just by asking for the canonical_string" do
+      request = Bixby::SignedJsonRequest.new(@json_req)
+      @request.headers.merge!({
+        'Content-Type' => 'text/plain',
+        'Content-MD5' => 'e59ff97941044f85df5297e1c302d260'
+      })
+      headers = ApiAuth::Headers.new(request)
+      headers.canonical_string
+      request.headers['date'].should be_nil
+    end
+
+    context "md5_mismatch?" do
+      it "is false if no md5 header is present" do
+        request = Bixby::SignedJsonRequest.new(@json_req)
+        request.headers.merge!({'Content-Type' => 'text/plain'})
+        headers = ApiAuth::Headers.new(request)
+        headers.md5_mismatch?.should be_false
+      end
+    end
+  end
+
+end

data/spec/helpers_spec.rb

@@ -0,0 +1,14 @@
+require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
+
+describe "ApiAuth::Helpers" do
+  
+  it "should strip the new line character on a Base64 encoding" do
+    ApiAuth.b64_encode("some string").should_not match(/\n/)
+  end
+  
+  it "should properly upcase a hash's keys" do
+    hsh = { "JoE" => "rOOLz" }
+    ApiAuth.capitalize_keys(hsh)["JOE"].should == "rOOLz"
+  end
+  
+end

data/spec/railtie_spec.rb

@@ -0,0 +1,134 @@
+require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
+
+describe "Rails integration" do
+
+  API_KEY_STORE = { "1044" => "l16imAXie1sRMcJODpOG7UwC1VyoqvO13jejkfpKWX4Z09W8DC9IrU23DvCwMry7pgSFW6c5S1GIfV0OY6F/vUA==" }
+
+  describe "Rails controller integration" do
+
+    class ApplicationController < ActionController::Base
+
+    private
+
+      def require_api_auth
+        if (access_id = get_api_access_id_from_request)
+          begin
+            if api_authenticated?(API_KEY_STORE[access_id]) then
+              return true
+            end
+          rescue ApiAuth::RequestTooOld
+          end
+        end
+
+        respond_to do |format|
+          format.xml { render :xml => "You are unauthorized to perform this action.", :status => 401 }
+          format.json { render :json => "You are unauthorized to perform this action.", :status => 401 }
+    			format.html { render :text => "You are unauthorized to perform this action", :status => 401 }
+        end
+      end
+
+    end
+
+    class TestController < ApplicationController
+      before_filter :require_api_auth, :only => [:index]
+
+      if defined?(ActionDispatch)
+        def self._routes
+          ActionDispatch::Routing::RouteSet.new
+        end
+      end
+
+      def index
+        render :text => "OK"
+      end
+
+      def public
+        render :text => "OK"
+      end
+
+      def rescue_action(e); raise(e); end
+    end
+
+    unless defined?(ActionDispatch)
+      ActionController::Routing::Routes.draw {|map| map.resources :test }
+    end
+
+    def generated_response(request, action = :index)
+      if defined?(ActionDispatch)
+        TestController.action(action).call(request.env).last
+      else
+        request.action = action.to_s
+        request.path = "/#{action.to_s}"
+        TestController.new.process(request, ActionController::TestResponse.new)
+      end
+    end
+
+    it "should permit a request with properly signed headers" do
+      request = ActionController::TestRequest.new
+      request.env['DATE'] = Time.now.utc.httpdate
+      ApiAuth.sign!(request, "1044", API_KEY_STORE["1044"])
+      response = generated_response(request, :index)
+      response.code.should == "200"
+    end
+
+    it "should forbid a request with properly signed headers but timestamp > 15 minutes" do
+      request = ActionController::TestRequest.new
+      request.env['DATE'] = "Mon, 23 Jan 1984 03:29:56 GMT"
+      ApiAuth.sign!(request, "1044", API_KEY_STORE["1044"])
+      response = generated_response(request, :index)
+      response.code.should == "401"
+    end
+
+    it "should insert a DATE header in the request when one hasn't been specified" do
+      request = ActionController::TestRequest.new
+      ApiAuth.sign!(request, "1044", API_KEY_STORE["1044"])
+      request.headers['DATE'].should_not be_nil
+    end
+
+    it "should forbid an unsigned request to a protected controller action" do
+      request = ActionController::TestRequest.new
+      response = generated_response(request, :index)
+      response.code.should == "401"
+    end
+
+    it "should forbid a request with a bogus signature" do
+      request = ActionController::TestRequest.new
+      request.env['Authorization'] = "APIAuth bogus:bogus"
+      response = generated_response(request, :index)
+      response.code.should == "401"
+    end
+
+    it "should allow non-protected controller actions to function as before" do
+      request = ActionController::TestRequest.new
+      response = generated_response(request, :public)
+      response.code.should == "200"
+    end
+
+  end
+
+  describe "Rails ActiveResource integration" do
+
+    class TestResource < ActiveResource::Base
+      with_api_auth "1044", API_KEY_STORE["1044"]
+      self.site = "http://localhost/"
+      self.format = :xml
+    end
+
+    it "should send signed requests automagically" do
+      timestamp = Time.parse("Mon, 23 Jan 1984 03:29:56 GMT")
+      Time.should_receive(:now).at_least(1).times.and_return(timestamp)
+      ActiveResource::HttpMock.respond_to do |mock|
+        mock.get "/test_resources/1.xml",
+          {
+            'Authorization' => 'APIAuth 1044:IbTx7VzSOGU55HNbV4y2jZDnVis=',
+            'Accept' => 'application/xml',
+            'DATE' => "Mon, 23 Jan 1984 03:29:56 GMT"
+          },
+          { :id => "1" }.to_xml(:root => 'test_resource')
+      end
+      TestResource.find(1)
+    end
+
+  end
+
+end

data/spec/spec_helper.rb

@@ -0,0 +1,27 @@
+$LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
+$LOAD_PATH.unshift(File.dirname(__FILE__))
+require 'rspec'
+require 'api_auth'
+require 'amatch'
+require 'rest_client'
+require 'curb'
+require 'httpi'
+require 'net/http/post/multipart'
+
+require 'active_support'
+require 'active_support/test_case'
+require 'action_controller'
+require 'action_controller/test_case'
+require 'active_resource'
+require 'active_resource/http_mock'
+
+require 'bixby-auth'
+require 'bixby-common'
+
+# Requires supporting files with custom matchers and macros, etc,
+# in ./support/ and its subdirectories.
+Dir["#{File.dirname(__FILE__)}/support/**/*.rb"].each {|f| require f}
+
+RSpec.configure do |config|
+
+end

data/spec/test_helper.rb

@@ -0,0 +1,2 @@
+module TestHelper
+end

data/test/helper.rb

@@ -0,0 +1,35 @@
+require 'simplecov'
+
+module SimpleCov::Configuration
+  def clean_filters
+    @filters = []
+  end
+end
+
+SimpleCov.configure do
+  clean_filters
+  load_adapter 'test_frameworks'
+end
+
+ENV["COVERAGE"] && SimpleCov.start do
+  add_filter "/.rvm/"
+end
+require 'rubygems'
+require 'bundler'
+begin
+  Bundler.setup(:default, :development)
+rescue Bundler::BundlerError => e
+  $stderr.puts e.message
+  $stderr.puts "Run `bundle install` to install missing gems"
+  exit e.status_code
+end
+require 'minitest/unit'
+
+$LOAD_PATH.unshift(File.dirname(__FILE__))
+$LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
+require 'bixby-auth'
+
+class MiniTest::Unit::TestCase
+end
+
+MiniTest::Unit.autorun

data/test/test_bixby-auth.rb

@@ -0,0 +1,7 @@
+require 'helper'
+
+class TestBixbyAuth < MiniTest::Unit::TestCase
+  def test_something_for_real
+    flunk "hey buddy, you should probably rename this file and start testing for real"
+  end
+end